Booking engines – they make the worlds of travel and hospitality spin around. Estimated at over US$500 billion, this market moves fast. These engines are a critical, nearly invisible part of the hospitality industry, and their security is essential to protect guests’ personal and financial information. Occasionally, booking technology falls victim to motivated threat actors who exploit vulnerabilities in code to gain access to sensitive customer information such as name, address, email address, phone number, credit or debit card number, expiration date, and security code or card verification code.
This was the case with a cyber-attack discovered back in 2021 against the IRM Next Generation online booking engine built by Resort Data Processing, Inc. (“RDP”). This attack is probably not unique among the wide range of online booking engines built by other software companies. However, it is closely related to an investigation that Bitdefender was called in to help with. The results of that investigation also helped us understand how the 2021 cyber-attack against IRMNg took place, and we are documenting our findings in this report to help other business entities stay protected.
While investigating anomalous activity, Bitdefender researchers found malicious files on servers running the IRM Next Generation online booking engine built by Resort Data Processing, Inc.
Our investigation reveals the extent of the attack and also outlines several vulnerabilities in the IRM Next Generation online booking engine, which were identified, catalogued and responsibly reported to the vendor as per the timeline below.
April-May, 2023 – Bitdefender identifies issues in multiple components of the IRMNg application during a malware infection investigation
As a CVE Numbering Authority, we understand the importance of vulnerability disclosure. In the past decade, we have sent (and received) numerous vulnerability notifications. This time, our attempts to reach the vendor went unanswered. Given that cyber-criminals are actively using these vulnerabilities and that our investigation revealed the existence of several other victims, we decided to make this information public.
We urge all companies using vulnerable versions of the IRMNg engine to evaluate the impact of these vulnerabilities and take appropriate action (you can also read a deep-dive into the attack on our Business Insights blog).
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the full research paper available below: